[00:04.230 --> 00:06.250]  Hello, this is Melih Tas.
[00:06.490 --> 00:11.490]  I will present practical VoIP pentesting using the most up-to-date version of Mr.SIP Pro.
[00:11.910 --> 00:14.110]  Mr.SIP is a SIP-based audit and attack tool.
[00:14.110 --> 00:20.910]  It's a software product that helps organizations manage their communication infrastructure and perform VoIP-specific security tests.
[00:21.410 --> 00:23.970]  The companies can also measure their risks.
[00:24.530 --> 00:26.530]  Please do star us on GitHub.
[00:26.530 --> 00:28.870]  Please follow our Twitter account for updates.
[00:28.870 --> 00:33.810]  And please subscribe to our YouTube channel; we need 100 subscribers to update the URL.
[00:40.500 --> 00:42.740]  Let's talk about our agenda here.
[00:42.860 --> 00:44.820]  I will have a very short introduction.
[00:44.820 --> 00:48.140]  Then I will briefly talk about the timeline and the story of Mr.SIP.
[00:48.440 --> 00:52.200]  I would like to mention some facts about Voice over IP security.
[00:52.420 --> 00:56.420]  I will then share some information about Pro version modules of Mr.SIP.
[00:56.600 --> 00:59.440]  I will explain the functionalities and interaction between the modules.
[00:59.440 --> 01:01.960]  We will also look at our roadmap.
[01:02.380 --> 01:09.840]  And after briefly showing some basics of Voice over IP and SIP, I will mention today's Voice over IP security threats.
[01:09.840 --> 01:13.320]  Then I will show the lab setup we will use during the demo.
[01:13.640 --> 01:15.860]  And the interesting part begins here.
[01:16.300 --> 01:20.900]  I will talk about three cool hacking stories which I will demonstrate using Mr.SIP Pro.
[01:20.980 --> 01:24.160]  The first story is actually based on a real incident.
[01:24.160 --> 01:30.580]  And we will show you how hackers made millions of dollars in large-scale call fraud.
[01:30.720 --> 01:40.660]  For each hacking story, I will give baseline information, the lab setup, the steps to perform, the demo itself and a short conclusion.
[01:40.820 --> 01:45.120]  In addition, I will talk about how we developed advanced novel attacks.
[01:45.120 --> 01:48.440]  These novel attacks, developed using Mr.SIP, appear in the academic literature.
[01:48.440 --> 01:54.060]  Finally, we will review how Mr.SIP fits into the overall Voice over IP methodology.
[01:58.690 --> 02:01.010]  And here I will mention my profile.
[02:01.010 --> 02:02.130]  You can call me Melih.
[02:02.290 --> 02:04.890]  I am a security researcher from Istanbul, Turkey.
[02:05.010 --> 02:08.110]  I mostly do offensive security research about voice over IP.
[02:08.510 --> 02:14.470]  I work as a principal pentester in a private bank, and I have a PhD in computer engineering.
[02:14.790 --> 02:16.210]  I am an entrepreneur.
[02:16.210 --> 02:18.030]  In my free time, I do bug hunting.
[02:18.110 --> 02:21.730]  If you want to reach out to me, please find me on LinkedIn, Twitter or GitHub.
[02:23.770 --> 02:25.990]  And here is my friend Kubilay.
[02:25.990 --> 02:28.450]  We have been working together since 2016.
[02:28.670 --> 02:30.770]  He has a PhD from Oxford University.
[02:30.770 --> 02:33.350]  He works at the cyber security center there.
[02:33.350 --> 02:36.490]  And he is an alumnus of ETH3.
[02:36.670 --> 02:43.010]  He is mainly working in trusted computing, hardware-assisted security and Intel's SGX technology.
[02:43.650 --> 02:47.810]  You can reach him on LinkedIn for your questions or projects.
[02:49.090 --> 02:53.050]  Mr.SIP is a VoIP security product that started as a hobby project.
[02:53.050 --> 02:57.010]  Mr.SIP has resulted in several academic research papers and journal articles.
[02:57.010 --> 03:00.750]  It is the most comprehensive attack-oriented voice over IP product ever.
[03:00.750 --> 03:02.530]  And you will see the reasons today.
[03:04.170 --> 03:08.070]  Mr.SIP first appeared in a private company where I worked before.
[03:08.570 --> 03:13.890]  We raised about 8 million Turkish Liras, close to 2 million Euros, in research funds.
[03:14.470 --> 03:17.710]  The first prototypes were funded and used by the Turkish government.
[03:19.450 --> 03:25.130]  Between 2011 and 2015, Mr.SIP remained closed source.
[03:25.390 --> 03:28.910]  One independent project sequence began in a similar timeline.
[03:29.390 --> 03:32.590]  In 2012, we planned to employ Fatih.
[03:33.030 --> 03:37.330]  After some meetings, and since there was no NDA, he forked our project.
[03:37.950 --> 03:40.750]  It was our mistake that we did not have an NDA.
[03:41.110 --> 03:45.970]  In the remaining years, all the tools stayed closed source, and I left the company.
[03:47.710 --> 03:49.970]  We gathered a new team in 2016.
[03:50.630 --> 03:55.850]  We dedicated ourselves to reprogramming all the tools, utilizing all of our past experience.
[03:56.370 --> 03:58.190]  The open source period began.
[03:58.510 --> 04:01.770]  We published the first open source version in 2017.
[04:02.170 --> 04:06.490]  And Mr.SIP appeared in the Black Hat USA, Europe and Asia arsenals.
[04:06.650 --> 04:08.690]  And also at OFFZONE Moscow.
[04:09.670 --> 04:14.110]  We currently have 10 modules and we plan to add 5 more modules.
[04:14.890 --> 04:18.930]  We will be gradually open sourcing more modules once they are mature.
[04:18.930 --> 04:22.130]  We aim to integrate into Kali Linux and Metasploit.
[04:22.130 --> 04:26.230]  And we are looking for collaboration with big Voice over IP vendors.
[04:28.170 --> 04:32.350]  Various reports show the current security risk in the Voice over IP sector.
[04:32.350 --> 04:39.290]  According to CSCS 2019 report, the total loss of telecom fraud was $28.2 billion.
[04:39.290 --> 04:45.550]  And this corresponds to 1.74% of total telecom revenues.
[04:46.230 --> 04:49.630]  When we look at the most common weaknesses in the graphs on the left side,
[04:49.630 --> 04:54.650]  in the top three, we see that VoIP users and PBX systems are targeted most.
[04:55.350 --> 05:03.610]  In the graphic on the right, we see that the biggest risks for communication systems are denial-of-service attacks and caller ID fraud.
[05:05.690 --> 05:09.850]  Mr.SIP is evolving and is actively being used by researchers and practitioners.
[05:10.110 --> 05:13.730]  This demand from the sector confirms that we should make Mr.SIP better.
[05:14.430 --> 05:19.310]  It was shared on various popular forums and news sources, including Black Hat's homepage.
[05:19.430 --> 05:21.830]  Mr.SIP was cited in Cisco publications.
[05:21.830 --> 05:30.770]  It was used in caller ID spoofing tests as part of a Turkish Standards Institute collaboration for national Voice over IP standard-setting studies.
[05:30.770 --> 05:35.450]  It has also been used in various prestigious academic publications.
[05:38.210 --> 05:41.950]  Voice over IP technologies have unavoidable security threats.
[05:41.950 --> 05:44.490]  Voice over IP protocols are not designed securely.
[05:44.490 --> 05:48.790]  The products developed so far could not keep up with today's security requirements.
[05:49.270 --> 05:56.830]  Voice over IP security cannot be addressed correctly in corporate information security policies because awareness of Voice over IP security is low.
[05:56.830 --> 06:01.410]  We foresee that Voice over IP security will gain more importance in the near future.
[06:01.410 --> 06:04.610]  And Mr.SIP is here to solve all the problems.
[06:07.250 --> 06:09.970]  Mr.SIP contains 10 modules in three categories:
[06:09.970 --> 06:13.570]  Information Gathering, Vulnerability Scanning, and Offensive modules.
[06:13.830 --> 06:17.850]  There are two helper components called IP Spoofing Engine and Message Generator.
[06:18.190 --> 06:21.950]  Green modules are included in the open source version, the public version.
[06:21.950 --> 06:24.870]  In the pro version, we have added five more modules.
[06:24.870 --> 06:29.310]  We also extended the public modules with new features.
[06:30.090 --> 06:33.810]  Also in our roadmap, there are five new attack modules.
[06:33.810 --> 06:37.370]  In addition, we will develop an easy-to-use GUI.
[06:38.030 --> 06:45.270]  I will not go through each module one by one, but you will see in the live demos how we combine them to deploy large-scale attacks.
[06:45.990 --> 06:50.290]  If you have time in Q&A, we can discuss and explain the modules further.
[06:50.490 --> 06:52.830]  You can also read the documentation in our GitHub.
[06:57.600 --> 07:01.040]  It offers many innovative and competitive features.
[07:01.040 --> 07:08.580]  For example, high-performance multi-threading, IP spoofing, smart SIP message generation, self-hiding and intervention skills.
[07:08.780 --> 07:13.820]  MrSIP also has a customizable scenario development framework for stateful attacks.
[07:14.500 --> 07:19.680]  We have seen practitioners also use MrSIP as a client simulator and traffic generator.
[07:21.860 --> 07:27.560]  Banks, service providers and public institutions that have VoIP infrastructure use MrSIP.
[07:27.980 --> 07:32.740]  Service integrators and consulting firms serving in the security field use MrSIP.
[07:33.160 --> 07:36.480]  We welcome any novel use case of MrSIP you may have.
[07:39.140 --> 07:43.620]  MrSIP is a tool that should be in every pentester's and red teamer's toolbox.
[07:43.860 --> 07:49.220]  It is also used to perform unit tests during the development of Voice over IP and security products.
[07:50.120 --> 07:55.500]  It is also useful at the quality checking stage before purchasing such Voice over IP products.
[07:57.880 --> 08:03.480]  Now, before we go into technical details of MrSIP, let's understand how SIP works.
[08:03.760 --> 08:08.620]  There are three approaches to how Voice over IP is deployed and configured within organizations.
[08:08.620 --> 08:14.060]  These are internal Voice over IP implementation, managed services and online SIP trunking.
[08:14.320 --> 08:18.200]  For this presentation, we will target internal Voice over IP implementations.
[08:20.260 --> 08:23.280]  SIP is a text-based protocol very similar to HTTP.
[08:23.540 --> 08:26.300]  You can see the request methods and response types here.
[08:26.960 --> 08:30.380]  If you need more information on SIP itself, please ask in the Q&A.
[08:32.980 --> 08:36.680]  This is the very basic call flow for SIP.
[08:37.560 --> 08:40.100]  Normally, call flows can be more complex.
[08:40.440 --> 08:43.180]  This is between two users and the server in the middle.
[08:43.520 --> 08:47.560]  Although SIP is similar to HTTP, it is more complex than HTTP.
[08:47.560 --> 08:49.600]  RTP carries the media.
[08:51.500 --> 08:54.360]  And this is a sample of an invite message.
[08:54.700 --> 09:00.880]  There are some specific headers and parameters which need to be vendor-specific and unique for each call.
[09:03.640 --> 09:08.320]  SIP uses an authentication mechanism similar to HTTP, known as HTTP digest.
[09:08.420 --> 09:10.920]  The user password is symmetric and pre-shared.
[09:11.260 --> 09:18.560]  In SIP 2.0, MD5 hashing algorithm is applied to the authentication data before they are sent to the server.
[09:19.320 --> 09:22.340]  This is a sample of the SIP REGISTER method.
[09:22.340 --> 09:25.860]  It shows the packet capture of a SIP authentication request.
[09:26.080 --> 09:30.840]  This packet capture contains useful information for executing the authentication attack.
[09:34.800 --> 09:39.380]  We will demonstrate the VoIP security threats over three hacking scenarios.
[09:39.920 --> 09:43.180]  We will identify SIP servers and enumerate user extensions.
[09:43.420 --> 09:47.900]  We will talk about registration hijacking using SIP digest authentication cracking.
[09:48.160 --> 09:51.320]  We will do a man-in-the-middle attack and sniff the SIP traffic.
[09:51.320 --> 09:58.760]  Caller ID spoofing, call e-mail swiping, and telephony denial-of-service attacks are other security threats we are going to demonstrate.
[09:59.320 --> 10:03.620]  We will also abuse known vulnerabilities and exploits specific to SIP components.
[10:04.360 --> 10:06.640]  We have several live demos.
[10:06.660 --> 10:15.540]  In the long-distance call routing fraud demo, we will show how hackers deploy large-scale attacks on telecom companies' infrastructures.
[10:17.460 --> 10:20.820]  This is our VoIP security laboratory environment.
[10:21.320 --> 10:24.100]  We have three IP PBXs on the network.
[10:24.220 --> 10:27.160]  We use three SPACs and three PBXs as SIP servers.
[10:27.820 --> 10:32.420]  We have one attacker machine, which is Kali Linux, and MrSIP Pro is installed on it.
[10:33.040 --> 10:36.900]  There are some users registered on those PBX systems.
[10:36.900 --> 10:40.120]  We use Zoiper, Jitsi, and Minfone as soft clients.
[10:42.680 --> 10:45.160]  MrSIP is a console-based Python 3 tool.
[10:45.160 --> 10:49.420]  In order to run MrSIP on your Kali, you need to install some Python libraries.
[10:49.420 --> 10:52.660]  Please see our GitHub for full instructions.
[10:53.640 --> 10:57.580]  Here we will see how MrSIP modules work together to deploy an attack.
[10:57.620 --> 10:59.400]  Green modules are core modules.
[10:59.400 --> 11:01.100]  Blue ones are attack modules.
[11:01.380 --> 11:03.860]  External inputs such as dictionaries are in yellow.
[11:04.000 --> 11:06.880]  And gray ones are outputs of MrSIP modules.
[11:07.500 --> 11:18.140]  As you can see in the graphic above, the SIP message generator feeds the network scanner, enumerator, vulnerability scanner, signaling manipulator, DoS attack simulator, and attack scenario player.
[11:18.140 --> 11:23.840]  The output of the network scanner is given as input to the enumerator and vulnerability scanner.
[11:24.700 --> 11:30.920]  In the graphic below, the sniffer, along with the man-in-the-middle attack modules, feeds the eavesdropper and cracker.
[11:30.920 --> 11:36.340]  The list of valid SIP users is the bold output of the enumerator and eavesdropper.
[11:36.680 --> 11:41.860]  Then all these outputs feed the predefined user agent and SIP extension dictionaries.
[11:43.000 --> 11:47.780]  Our first hacking story is registration hijacking for long-distance call routing fraud.
[11:48.140 --> 11:50.600]  This attack is based on fraudulent traffic carrying.
[11:51.020 --> 11:54.000]  Hackers made millions of dollars in this fraud business.
[11:54.100 --> 11:56.560]  I will expose the details right now.
[11:57.000 --> 12:04.620]  With this attack, we target an enterprise that can make voice over IP calls over the internet, which means that they have SIP trunk services.
[12:05.400 --> 12:10.980]  As a result of this attack, the Voice over IP infrastructure will be abused and will incur expensive bills.
[12:10.980 --> 12:18.740]  The underlying causes of the attack are weak or absent password policies specific to Voice over IP services.
[12:18.900 --> 12:21.660]  This situation is often experienced in enterprises.
[12:22.220 --> 12:28.780]  Another reason we can mention is that Voice over IP communication takes place over unencrypted channels using UDP.
[12:29.980 --> 12:37.960]  The attacker's motivation is to gain user access, run a Voice over IP wholesale carrier voice business through the stolen user accounts,
[12:37.960 --> 12:43.540]  and repeat this for hundreds of enterprises, resulting in million-dollar benefits.
[12:44.600 --> 12:48.820]  Our attack scenarios are authentication attack and registration hijacking.
[12:48.860 --> 12:56.060]  The techniques we will use are man-in-the-middle sniffing, digest authentication calculation, and dictionary-based password cracking.
[12:56.380 --> 13:00.420]  When we talk about our setup and attack steps, we have two assumptions.
[13:00.680 --> 13:04.260]  First, we were hired to perform an internal Voice over IP pentest.
[13:04.260 --> 13:07.760]  Second, the target SIP server can make voice over IP calls over the internet.
[13:07.960 --> 13:10.400]  And we know our target subnet.
[13:11.000 --> 13:15.600]  We will use network scanner, enumerator, sniffer, and cracker module of MrSIP Pro.
[13:15.720 --> 13:20.560]  We will use dictionary files as external input for user extensions and passwords.
[13:21.420 --> 13:29.080]  Our steps are, first, we will discover active SIP servers on the network and identify valid users on these servers.
[13:29.600 --> 13:34.240]  Then we will need man-in-the-middle and sniffing skills to capture the SIP digest authentication data.
[13:34.240 --> 13:40.560]  And we will perform the necessary calculation in order to get the hash we need to crack.
[13:41.000 --> 13:44.680]  And then crack the password in real time with our built-in module.
[13:46.420 --> 13:50.600]  Our attacker machine is Kali Linux and MrSIP Pro is installed on it.
[13:52.620 --> 13:55.040]  For this demo, we will use two terminals.
[13:55.620 --> 14:03.300]  And the first thing we want to do is to start a SIP sniffer in terminal 2 using the IP address of our attack machine.
[14:04.240 --> 14:07.140]  Here we can see the SIP traffic activities performed there.
[14:17.100 --> 14:20.440]  We are launching our network scanner in terminal 1.
[14:20.740 --> 14:29.720]  And what SIP-NES does is send SIP OPTIONS messages to all IP addresses in the given subnet to identify SIP servers according to their response status and User-Agent headers.
[14:30.720 --> 14:36.100]  And since we scan a subnet, we want it to be completed quickly, so we gave a thread count of 50.
[14:36.180 --> 14:37.640]  And the default is 10.
[14:40.440 --> 14:43.480]  We could also give another message type instead of SIP OPTIONS.
[14:43.480 --> 14:46.120]  Some servers may not respond to OPTIONS.
[15:07.920 --> 15:15.200]  As a result, we detected two active SIP servers by scanning the entire network in 20 seconds, and both are Asterisk-based.
[15:28.980 --> 15:37.300]  This automatically writes the SIP-NES output to the ip_list.txt file for other modules to use.
[15:40.410 --> 15:48.570]  And we will run our SIP enumerator using the predefined user extension dictionary file named from.txt to detect users on the target server.
[15:55.170 --> 16:01.610]  And what it does is send SUBSCRIBE messages to the servers by default.
[16:01.610 --> 16:04.230]  We can use different messages too, such as REGISTER.
[16:04.230 --> 16:08.190]  And it identifies valid users according to their response status.
[16:08.630 --> 16:19.470]  And as output, it found valid users on these servers and informed us whether these users require authentication or not.
[16:19.830 --> 16:23.290]  It detected 8 users in 10 seconds in total.
[16:23.290 --> 16:26.570]  Three of them don't have passwords at all.
[16:26.570 --> 16:28.690]  We can get these users directly.
[16:28.690 --> 16:35.530]  Now our goal is to get the passwords of five others on the list.
[16:42.510 --> 16:49.090]  For this, we are running our password cracker, which performs the SIP digest authentication cracking operation.
[16:50.290 --> 16:52.990]  We determined one server as the target.
[16:52.990 --> 16:57.790]  As input, we need a password dictionary named wordlist_test.txt.
[16:58.770 --> 17:08.310]  What it does is listen to the network using man-in-the-middle and sniffing skills, capture SIP REGISTER messages and obtain the authentication data.
[17:08.310 --> 17:14.530]  And using the data it obtains, it cracks the SIP digest authentication in real time and retrieves the passwords.
[17:16.010 --> 17:23.910]  With a soft client called Zoiper, for demo purposes, I trigger register and unregister activities for different users.
[17:23.910 --> 17:46.710]  And so our SIP-CRACK module instantly gets involved and reveals the passwords.
[18:00.880 --> 18:09.160]  In summary, we found servers and users, we listened to the server, cracked the authentication, and we took over the users and committed fraud.
[18:09.480 --> 18:20.600]  As a final step, in case these users may enforce single registration, we can perform a SIP registration erasure attack, drop their existing registrations and hijack them.
[18:20.600 --> 18:27.820]  By making this process periodic, we can repeat it over a wide network and increase the number of users we hijack.
[18:28.300 --> 18:41.100]  We can operate a VoIP wholesale carrier voice, call shop, or prepaid/postpaid card business to make calls when the users we hijack are not using their accounts, according to the country they are located in.
[18:41.260 --> 18:45.300]  Indeed, this is one of the most common hackers' attack methods.
[18:45.300 --> 18:52.560]  For example, in the night time, when real users sleep, we can start selling long-distance calls on their accounts.
[18:53.260 --> 19:03.140]  This type of attack earns millions of dollars by doing business only through hijacked VoIP accounts, without running any telecom infrastructure.
[19:03.500 --> 19:09.280]  More than once, I was involved in the forensic examination of this type of attack in enterprises.
[19:09.500 --> 19:12.340]  And I will not mention the company names.
[19:13.120 --> 19:18.140]  Our second hacking story is caller ID spoofing for a spear phishing campaign.
[19:18.780 --> 19:22.520]  Our target is any enterprise with VoIP infrastructure.
[19:23.180 --> 19:29.620]  As a result of the attack, the attacker may gain access to the systems or they can leak sensitive data.
[19:30.560 --> 19:39.620]  As for the reasons underlying the attack, we can say that VoIP communication takes place over unencrypted channels and the security awareness in the organization is low.
[19:39.620 --> 19:45.400]  The attacker's motivation may be to infect with malicious software or steal sensitive data.
[19:45.620 --> 19:49.680]  The attacker may also steal credentials for remote access to the system.
[19:50.520 --> 19:56.020]  Our attack vectors, we can say, are the caller ID spoofing attack and social engineering in combination.
[19:56.540 --> 20:00.820]  We will use techniques such as man-in-the-middle spoofing and SIP signaling manipulation.
[20:04.340 --> 20:10.120]  When we talk about our attack setup and attack steps, our assumption 1 is still valid.
[20:10.120 --> 20:13.760]  And we already know the target server IP address.
[20:14.140 --> 20:17.840]  We will use enumerator and eavesdropper modules of MrSIP Pro.
[20:17.960 --> 20:22.580]  We will use the user extension dictionary file as external input.
[20:23.460 --> 20:28.440]  Our attack steps: we have already discovered the target server and valid extensions.
[20:28.800 --> 20:33.780]  Then we will listen to the active calls with our man-in-the-middle and sniffer-equipped modules.
[20:34.380 --> 20:40.100]  And we will both enumerate and use the obtained information in order to perform the caller ID spoofing attack.
[20:44.550 --> 20:46.850]  Our attack setup is the same again.
[20:47.050 --> 20:50.590]  From the step in the previous attack, we target one of the SIP servers.
[20:51.150 --> 20:55.230]  And let's run the enumerator and keep a record of which users are valid.
[21:08.740 --> 21:13.140]  And we have detected 5 active users and some users don't require authentication.
[21:13.980 --> 21:18.940]  However, keep in mind that with this attack method, we can guess valid users.
[21:24.990 --> 21:30.330]  Now, we will eavesdrop on SIP calls by listening to the network with the man-in-the-middle and sniffer.
[21:30.350 --> 21:35.310]  And we will both learn about the SIP call flow on the server,
[21:35.310 --> 21:41.110]  and we will make an alternative enumeration with more real data.
[21:46.420 --> 21:50.320]  I made calls with two soft client applications for demo purposes.
[21:50.640 --> 21:54.340]  And when it catches a call, it shows the call with an ongoing tag.
[21:55.060 --> 22:01.700]  And when the call ends, it can calculate the call duration.
[22:05.540 --> 22:08.860]  And we caught two calls for demo purposes.
[22:08.960 --> 22:14.360]  We know that the 5000 and 1001 users are available to receive calls.
[22:25.710 --> 22:28.330]  Now, let's open a second terminal.
[22:32.520 --> 22:37.760]  And here, we can start our sniffer and observe our SIP traffic activities.
[22:59.810 --> 23:04.550]  Let's go back to terminal one and start the caller ID spoofing attack.
[23:06.010 --> 23:14.230]  And what we want to do is make a call from 1000 to user 1001.
[23:21.170 --> 23:28.450]  And when we send the custom INVITE packet, we see that the call is taking place.
[23:35.280 --> 23:42.960]  In the same way, we have seen that we can make a call to user 5000.
[23:51.180 --> 23:56.540]  By using this attack systematically, we can make calls as insiders and perform phishing activities.
[23:57.420 --> 24:06.200]  As another attack scenario, we can create a list of target users, perform automatic calls to everyone, and play a pre-recorded media content to everyone.
[24:06.880 --> 24:09.120]  It may be an advertisement content.
[24:09.840 --> 24:12.960]  We carried out this demo attack on the internal network.
[24:12.960 --> 24:22.640]  But if the target server could receive and make calls over the internet, we would also be able to call any number we want and automate this job.
[24:23.120 --> 24:27.460]  Of course, only if we could make Voice over IP calls over the internet on the attacker side.
[24:28.680 --> 24:36.240]  The only thing to note here is to check whether the Voice over IP provider on the attacker side allows us to use a custom INVITE message.
[24:36.240 --> 24:44.540]  Some countries and states may have regulation related to this and service providers may have implemented partial solutions to prevent this.
[24:49.200 --> 24:54.320]  Our third hacking story is abusing a known flood-based telephony denial-of-service vulnerability.
[24:54.740 --> 24:58.640]  Our target is again any enterprise with voice over IP infrastructure.
[24:59.300 --> 25:04.860]  As a result of the attack, we can overload the capacity of the SIP server and cause a service interruption.
[25:04.860 --> 25:11.620]  A known denial-of-service vulnerability in the target SIP server helps these attacks take place.
[25:12.680 --> 25:19.040]  The attacker's motivation may be to cut off the accessibility of the target server and all the components it serves.
[25:19.460 --> 25:25.120]  Hackers can manipulate the company's attention and carry out other insidious attacks.
[25:25.660 --> 25:33.240]  Our attack vectors are a version-based scan for known vulnerabilities and exploits and, of course, telephony denial-of-service attacks.
[25:33.240 --> 25:38.500]  We will use flood-based TDoS and IP spoofing techniques when performing the attack.
[25:44.830 --> 25:51.110]  Similarly, we assume that we were hired to pentest the company, or any other similar way to match this assumption.
[25:51.750 --> 25:54.710]  We have set the target server IP address.
[25:55.070 --> 26:00.030]  We use MrSIP Pro's vulnerability scanner and DoS attack simulator modules.
[26:00.130 --> 26:02.450]  We don't need any external input.
[26:03.210 --> 26:07.230]  Our attack steps: we already know the target server.
[26:07.230 --> 26:12.730]  We will scan for known vulnerabilities and exploits using the server version information.
[26:12.830 --> 26:21.310]  And we will make the server inaccessible by performing flood-based telephony denial-of-service attacks using the DoS vulnerability we have obtained.
[26:27.020 --> 26:29.540]  Our attack setup is the same again.
[26:30.480 --> 26:34.420]  Here I will work in three terminals this time for demo purposes.
[26:35.080 --> 26:42.900]  Two are offensive Kali machines on which MrSIP Pro is installed, and the other is the target Trixbox SIP server.
[27:00.020 --> 27:04.860]  We have investigated known vulnerabilities and exploits for our target server.
[27:04.980 --> 27:08.700]  We discovered 22 known vulnerabilities and one exploit.
[27:09.420 --> 27:13.120]  And some weaknesses and exploits are familiar to me.
[27:14.240 --> 27:17.300]  I want to check the details immediately.
[27:19.320 --> 27:29.380]  Yes, as I guessed, we know that there is a denial-of-service vulnerability against a SIP INVITE flood attack, which I will perform with random users.
[27:33.170 --> 27:43.610]  I want to monitor the CPU and memory usage information of Trixbox in one terminal, and I want to run the sniffer in another to see our SIP traffic.
[27:54.520 --> 28:05.720]  In the last terminal, I will send 1000 SIP INVITE messages using random spoofed source IP addresses to the target SIP server.
[28:56.980 --> 29:00.800]  I started the attack and we can see the progress on the screen.
[29:02.220 --> 29:09.800]  INVITE messages are starting to go out, and because these messages come from spoofed IP addresses and use UDP,
[29:09.800 --> 29:18.760]  each response was retransmitted 7 times over 32 seconds due to SIP's own retransmission mechanism.
[29:22.840 --> 29:28.620]  And we can see that the output of the top command is frozen in the terminal of Trixbox.
[29:29.320 --> 29:34.920]  In fact, this shows that the SIP server is no longer able to respond.
[30:03.540 --> 30:16.650]  I want to enter the web interface from the browser to verify, but I see that it's not accessible.
[30:33.070 --> 30:37.670]  Ping packets are reaching, but TTL seems to be strange.
[30:45.960 --> 30:49.800]  And I'm sure now that we have overloaded the server.
[31:02.320 --> 31:10.160]  I can stop the attack and show that the web interface is accessible right now.
[31:20.480 --> 31:25.860]  Although the main problem here seems to be that the SIP server runs a vulnerable version,
[31:26.200 --> 31:30.300]  we know that most networks are vulnerable to TDoS attacks,
[31:31.340 --> 31:37.280]  because the current security parameters cannot manage Voice over IP protocols well in the application layer,
[31:37.280 --> 31:45.020]  and therefore cannot distinguish them from real traffic in the face of methods such as retransmission and reflection in UDP usage.
[31:45.020 --> 31:53.460]  On the other hand, the attackers' approach can be to attract attention and perform another insidious attack at the same time.
[31:56.560 --> 32:02.940]  So far, we demonstrated three hacking stories. Now, we will further explain specific features.
[32:03.680 --> 32:07.660]  Attack scenario player allows you to perform stateful SIP call scenarios.
[32:07.660 --> 32:10.380]  We have predefined eight attack scenarios.
[32:10.380 --> 32:19.640]  It also allows you to develop new attack scenarios such as Distributed Reflected Denial-of-Service or Retransmission-Based Distributed Denial-of-Service.
[32:23.030 --> 32:27.350]  And these are the attack scenarios developed for our academic studies.
[32:27.390 --> 32:32.230]  We named the first one Incomplete INVITE Transaction DDoS with non-responding destination attack,
[32:32.230 --> 32:36.690]  and the second one Incomplete INVITE Dialog DDoS without ACK attack.
[32:37.230 --> 32:40.530]  Both of them abuse SIP's retransmission mechanism.
[32:40.530 --> 32:46.850]  Since SIP often uses UDP in the transport layer, it has its own retransmission mechanism.
[32:46.890 --> 32:55.670]  In our academic research, we developed these two attack methods by using the weaknesses of the retransmission mechanism and brought them to the academic literature.
[32:56.190 --> 33:00.930]  This article was published in Elsevier's Computers and Security Journal.
[33:01.830 --> 33:05.430]  There is a prerequisite for the target in the first attack method.
[33:05.430 --> 33:12.750]  The target user should be registered to the SIP server, but they should not have access to the internet at that time,
[33:12.750 --> 33:17.530]  or their registration should be removed in some way at that time.
[33:17.530 --> 33:28.430]  No problem, we can provide this condition using the registration erasure attack we have added to the SIP-ASP scenarios,
[33:28.430 --> 33:33.910]  or we can satisfy this precondition by performing a denial-of-service attack on the target client.
[33:35.110 --> 33:44.810]  Then, what we want to do is send an INVITE message and wait for the SIP server to send the same INVITE message seven times over 32 seconds in total,
[33:44.810 --> 33:49.090]  using the retransmission mechanism to transmit this message to the other party.
[33:49.870 --> 33:59.790]  When no response is received from the other party, the SIP server will send us a 408 Request Timeout message and wait for an ACK message from us.
[33:59.790 --> 34:10.390]  If we don't answer, it will assume that it cannot deliver the packet and will retransmit it seven times over 32 seconds in total.
[34:10.710 --> 34:18.390]  Thus, by sending only one INVITE message, we occupy resources on the target server for 64 seconds.
[34:19.530 --> 34:25.970]  And we don't have a prerequisite in our attack in the second figure; the target users will be registered and accessible.
[34:25.970 --> 34:38.450]  Since we only leave the responses coming to us unanswered, we will potentially occupy server and target client resources for a minimum of 32 seconds.
[34:41.020 --> 34:45.500]  There is another attack scenario that we have developed for our academic studies.
[34:45.560 --> 34:49.520]  We named it SIP Request Reflection Attack, SR-DoS in short.
[34:49.920 --> 34:56.740]  Just like the ICMP Smurf attack, we also worked on attack methods that could reflect SIP requests and responses.
[34:56.740 --> 35:01.920]  And we brought our study results to the literature through our academic papers.
[35:02.560 --> 35:10.980]  Here, we have been able to enable these attacks by combining the weaknesses of some SIP headers priority and IP spoofing technique.
[35:11.120 --> 35:14.420]  This work was published in IEEE Access Journal.
[35:15.180 --> 35:19.740]  This is to visualize the VoIP pentest steps that we can do using MrSIP Pro.
[35:19.760 --> 35:23.080]  Maybe we can call it a workflow instead of a methodology.
[35:23.080 --> 35:28.180]  If we call the open source version "version 1", we can call this one "version 2".
[35:28.620 --> 35:33.980]  This workflow shows what MrSIP Pro can do today and it will do more.
[35:34.060 --> 35:37.280]  Its scope will expand further with more advanced features.
[35:38.240 --> 35:41.120]  We thank our friends for their contributions.
[35:41.760 --> 35:44.260]  We also thank our lead maintainer Hakkı.
[35:44.260 --> 35:49.660]  He is a great programmer and he is available to hire for internships or full-time jobs.
[35:50.440 --> 35:53.060]  And we would like to expand our dictionaries.
[35:53.080 --> 35:58.100]  If you have any useful wordlists in a related field, please share them with us.
[35:59.200 --> 36:01.740]  And here are our references.
[36:02.020 --> 36:06.740]  If anyone is interested in further reading, we have more details here.
[36:08.480 --> 36:10.300]  Thanks everyone for listening.
[36:10.300 --> 36:13.500]  And again, please give us a star on our YouTube.
[36:13.500 --> 36:17.660]  Please follow us on Twitter and please subscribe to our YouTube channel.
[36:17.660 --> 36:19.360]  So we will update the world.
[36:20.040 --> 36:22.980]  This is my contact information if you want to reach out.
[36:23.080 --> 36:24.460]  I am Melih Tas on LinkedIn,
[36:24.840 --> 36:26.020]  Art and Science on Twitter,
[36:26.020 --> 36:27.260]  and Melih T on GitHub.
